Single HEC token or multiple HEC token

keishamtcs · ‎01-15-2019

Hi,

We have around 15 different applications for which we are going to use HEC to collect data. There are two heavy forwarders on which HEC will be configured and manage by a deployment server.

1) Should i use different token for each application or Single token for sending data ?
2) How do i configure HA between the two heavy forwarders. If one heavy forwarder goes 2nd heavy forwarder will send the data ?

Regards

harsmarvania57 · ‎01-16-2019

Hi,

I'll suggest to use different HEC tokens for different apps but it is purely depend on your environment and customer to customer basis.
You can use loadbalancer in between HF and applications to distribute HEC load between different HF (Have a look at docs http://dev.splunk.com/view/event-collector/SP-CAAAE73#scen3 ) but make sure that you need to use same token in both the HF for this functionality.

dkeck · ‎01-15-2019

HI,

I am not quite sure about Nr1. I saw environments where they used a new token for each HEC connection. This might be more secure (?) or just neccesarry.

to Nr2. there is no real HA for HF, you could set up your Universal Forwardes to send to both HF. UF would load balacing to the two HF than., but for your case, with HEC this is not an option.

keishamtcs · ‎01-16-2019

Hi,

Thanks for the response.

For the 2nd point, we are not using UF. Instead it is Serilog which uses a script to send data to splunk.
Do we use a load balancer to distribute the load or modify the script to send the data to both the servers?

Single HEC token or multiple HEC token

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!